Google patches 20-year-old Chrome bug that exposed users' browsing history
Apr 15, 2025 at 4:23 PM

Google patches 20-year-old Chrome bug that exposed users' browsing history

Google is addressing a 20-year-old privacy vulnerability in Google Chrome with the upcoming release of version 136. This issue involves the global storage of visited link data, allowing previously clicked links to appear as "visited" across different websites. By exposing parts of a user's browsing history, it opens the door to profiling, tracking, phishing, and other cyber attacks, raising serious privacy and security concerns. The vulnerability has been present since Chrome's early versions and has been exploited in various cyberattacks.

The new update will introduce "triple-key partitioning," a system that stores visited link data based on site and frame origin, reducing cross-site tracking. Under this system, a link will only appear as visited if clicked on the same website and frame origin, with exceptions for "self-links."

This fix will be enabled by default in Chrome 136. For users on versions 132 to 135, the fix can be manually activated through Chrome's settings, although it remains experimental until the official rollout.

Apr 15, 2025 by Mauricio B. Holguin

edenwOpenSourceSoftware
edenw found this interesting
MORE ABOUT: #Web Browsers#Google Chrome
Google Chrome iconGoogle Chrome
  4948
  • ...

Google Chrome is a widely-used web browser built on Google's Chromium platform. It supports multiple user accounts and syncs seamlessly across devices, offering features like an integrated password manager, dark mode, and real-time translation of websites. Rated 3.3, it is extensible through plugins and extensions, with top alternatives including Mozilla Firefox, Brave, and Vivaldi.

Related news

All news about Google Chrome »

External links

Comments

Navi
Apr 16, 2025
0

In short it's a feature that is insecure for privacy, not a bug.

I never liked this feature to begin with and I never have seen anyone say they like all the links they visited to be visible by anyone who looks over their shoulder after they cleared their browsing history.

UserPower
Apr 15, 2025
4

Well, "bug" may be too harsh. It's pretty much the behavior users expect too see. Each time an user click on a link, the link text color turns from blue to purple (by default). It's very useful like on search engine to find a previously visited websites. And since websites can use styling to change the color of visited links on their websites, it's very easy to track colors to see if a random website have already been visited. Google now only shows a link as visited if it has already been visited for the very same current website after coming the same previous website, which make the functionality much less useful (like on a search engine, where results are now shows as visited only if the search has been done from the same previous website, like the search engine home page, and not for example from the address bar). But, as always, greater privacy, or security, reduces usability. It's often a delicate balance.

2 replies
Navi
Apr 16, 2025

Greater privacy and security does not inherently reduce usability if someone never uses a feature or if there is a way to preserve a feature that is more secure and private than previous methods or if a similar but better more secure feature replaces something. It's not an 'always' thing.

Sequester3480
Apr 19, 2025

I don't see why exactly this happens. Doesn't the browser just compare a link with my history and apply a:visited CSS styling to those? Why would any website have access to that? If I did that manually in the Web Inspector tools, no site would know. I guess I don't fully understand this issue or why Google has to make it so that only visits at the site itself will be styled as such.

Gu